www.GossamerSec.com
Assurance Activity Report for Brocade Communications Systems, Inc. Brocade MLX® and NetIron® Family Devices with Multi-Service IronWare R05.8.00
Version 1.1 03/31/2015
Prepared by: Gossamer Security Solutions, Accredited Security Testing Laboratory – Common Criteria Testing, Catonsville, MD 21228
Prepared for: National Information Assurance Partnership, Common Criteria Evaluation and Validation Scheme
Document: AAR-BrocadeNetIron58
© 2015 Gossamer Security Solutions, Inc.
REVISION HISTORY
Revision | Date | Authors | Summary
Version 1.0 | 03/06/15 | Compton/Keenan/Van | Completed to include final evaluation findings
Version 1.1 | 03/31/15 | Compton | Addressed ECR Comments
The TOE Evaluation was sponsored by: Brocade Communications Systems, Inc. 130 Holger Way San Jose, CA 95134
Evaluation Personnel: Tammy Compton, Chris Keenan, Khai Van
Common Criteria Versions: Common Criteria for Information Technology Security Evaluation Part 1: Introduction, Version 3.
TABLE OF CONTENTS
1. Introduction
2. Protection Profile SFR Assurance Activities
2.1 Security audit (FAU)
2.6
2.6.1 Extended: Protection of Administrator Passwords (FPT_APW_EXT.1)
2.6.2 Extended: Protection of TSF Data (for reading of all symmetric keys) (FPT_SKP_EXT.1)
2.6.3 Reliable Time Stamps (FPT_STM.1)
2.6.4 TSF Testing (FPT_TST_EXT.1)
1. INTRODUCTION This Assurance Activity Report (AAR) presents evaluation results of the Brocade MLX® and NetIron® Family Devices with Multi-Service IronWare R05.8.00 Protection Profile for Network Devices (NDPP) evaluation. Note that additional testing results can be found in a separate, proprietary Detailed Test Report: Evaluation Team Test Report for Brocade MLX® and NetIron® Family Devices with Multi-Service IronWare R05.8.00, Version 1.1, 03/31/2015 (DTR).
2. PROTECTION PROFILE SFR ASSURANCE ACTIVITIES This section of the AAR identifies each of the assurance activities included in the claimed Protection Profile and describes the findings in each case. The following evidence was used to complete the Assurance Activities: AA report v11 Brocade Communications Systems, Inc. Brocade MLX® and NetIron® Family Devices with Multi-Service IronWare R05.8.00 Security Target, Version 0.
The evaluator shall also make a determination of the administrative actions that are relevant in the context of this PP. The evaluator shall examine the administrative guide and make a determination of which administrative commands, including subcommands, scripts, and configuration files, are related to the configuration (including enabling or disabling) of the mechanisms implemented in the TOE that are necessary to enforce the requirements specified in the PP.
Requirement Auditable Events Session. Establishment/Termination 1 of a TLS session. Additional Audit Record Contents failure. Non-TOE endpoint of connection (IP address) for both successes and failures. Guidance Location Informational Message Security telnet | SSH | web access [by username] from src IP source ip address, src MAC source MAC address rejected, n attempts..
Requirement Auditable Events Additional Audit Record Contents Guidance Location username] from src IP source ip address Failure telnet | SSH | web access [by username] from src IP source ip address, src MAC source MAC address rejected, n attempts access attempts from the specified source IP and MAC address. • [by user username] does not appear if telnet or SSH clients are specified.
Requirement FTA_SSL.3 Auditable Events The termination of a remote session by the session locking mechanism. Additional Audit Record Contents No additional information. Guidance Location and the user must then log back in (see FIA_UIA_EXT.1). Administration Guide, Appendix A Informational Message Security: telnet | SSH logout by username from src IP ip-address, src MAC mac-address to USER | PRIVILEGE EXEC mode The specified user logged out of the device.
Requirement Auditable Events Additional Audit Record Contents Guidance Location SSL Syslog server ip-address:portnum is now disconnected FIPS Guide Logging CLI_CMD operation enabled by user from console session.
security settings through the process of testing. As such, they are all identified in the DTR, along with the results and corresponding audit records.
Guidance Assurance Activities: None Defined Testing Assurance Activities: None Defined 2.1.2 USER IDENTITY ASSOCIATION (FAU_GEN.2) 2.1.2.1 FAU_GEN.2.1 TSS Assurance Activities: None Defined Guidance Assurance Activities: None Defined Testing Assurance Activities: None Defined 2.1.3 EXTERNAL AUDIT TRAIL STORAGE (FAU_STG_EXT.1) 2.1.3.1 FAU_STG_EXT.1.
The evaluator shall examine the TSS to ensure it describes the connection supported from non-TOE entities to send the audit data to the TOE, and how the trusted channel is provided. Testing of the trusted channel mechanism will be performed as specified in the associated assurance activities for the particular trusted channel mechanism.
the TOE. The evaluator shall observe that these data are not able to be viewed in the clear during this transfer, and that they are successfully received by the TOE. The evaluator shall perform this test for each protocol selected in the second selection. TOE is not an audit server Testing of the trusted channel mechanism will be performed as specified in the associated assurance activities for the particular trusted channel mechanism.
FCS_CKM.1.1 selected NIST Special Publication 800-56B, so the evaluator expected to find only that publication addressed in the TSS. Section 6.2, Table 6, addresses SP 800-56B with section references, indications of whether identified features are implemented, and a rationale where the implementation disagrees with the recommendation. Note that no such deviations are identified.
2. 3. When they are zeroized: The paragraph following the list identified above indicates they are destroyed when no longer needed and that is followed up with more detail in some cases. Type of zeroization procedure: The paragraph following the list identified above indicates that in FLASH values are either overwritten once with zeros or overwritten with a new value. In RAM values are overwritten once with zeroes.
2.2.4 CRYPTOGRAPHIC OPERATION (FOR CRYPTOGRAPHIC SIGNATURE) (FCS_COP.1(2)) 2.2.4.1 FCS_COP.1(2).
The TOE has been FIPS approved. The SHA certificate numbers are 2282 and 2280. 2.2.6 CRYPTOGRAPHIC OPERATION (FOR KEYED-HASH MESSAGE AUTHENTICATION) (FCS_COP.1(4)) 2.2.6.1 FCS_COP.1(4).1 TSS Assurance Activities: None Defined Guidance Assurance Activities: None Defined Testing Assurance Activities: The evaluator shall use 'The Keyed-Hash Message Authentication Code (HMAC) Validation System (HMACVS)' as a guide in testing the requirement above.
2.2.7.2 FCS_HTTPS_EXT.1.2 TSS Assurance Activities: None Defined Guidance Assurance Activities: None Defined Testing Assurance Activities: None Defined Component Assurance Activities: The evaluator shall check the TSS to ensure that it is clear on how HTTPS uses TLS to establish an administrative session, focusing on any client authentication required by the TLS protocol vs. security administrator authentication which may be done at a different level of the processing stack.
Guidance Assurance Activities: None Defined Testing Assurance Activities: None Defined 2.2.8.2 FCS_RBG_EXT.1.2 TSS Assurance Activities: Documentation shall be produced—and the evaluator shall perform the activities—in accordance with Annex D, Entropy Documentation and Assessment of the NDPP. The Entropy description is provided in a separate (non-ST) document that has been delivered to CCEVS for approval and has been accepted.
Implementations Conforming to NIST Special Publication 800-90 The evaluator shall perform 15 trials for the RBG implementation. If the RBG is configurable, the evaluator shall perform 15 trials for each configuration. The evaluator shall also confirm that the operational guidance contains appropriate instructions for configuring the RBG functionality.
2.2.9 EXPLICIT: SSH (FCS_SSH_EXT.1) 2.2.9.1 FCS_SSH_EXT.1.1 TSS Assurance Activities: None Defined Guidance Assurance Activities: None Defined Testing Assurance Activities: None Defined 2.2.9.2 FCS_SSH_EXT.1.2 TSS Assurance Activities: The evaluator shall check to ensure that the TSS contains a description of the public key algorithms that are acceptable for use for authentication, that this list conforms to FCS_SSH_EXT.1.
2.2.9.3 FCS_SSH_EXT.1.3 TSS Assurance Activities: The evaluator shall check that the TSS describes how 'large packets' in terms of RFC 4253 are detected and handled. Section 6.2 explains that there is a 256K packet buffer; as SSH packets are received, they are combined to form a complete packet to be decrypted, but if the packet is not completed when the buffer becomes full, the packet will be dropped.
Testing Assurance Activities: The evaluator shall also perform the following test: Test 1: The evaluator shall establish a SSH connection using each of the encryption algorithms specified by the requirement. It is sufficient to observe (on the wire) the successful negotiation of the algorithm to satisfy the intent of the test. The evaluator used the SecureCRT client to connect to the TOE using AES 128 and AES 256 encryption.
The evaluator shall also perform the following test: Test 1: The evaluator shall establish a SSH connection using each of the integrity algorithms specified by the requirement. It is sufficient to observe (on the wire) the successful negotiation of the algorithm to satisfy the intent of the test. This test was completed in conjunction with FCS_SSH_EXT.1.5.
TSS Assurance Activities: The evaluator shall check the description of the implementation of this protocol in the TSS to ensure that the ciphersuites supported are specified. The evaluator shall check the TSS to ensure that the ciphersuites specified are identical to those listed for this component. The SFR claims only the required 4 ciphers and those are identified in section 6.2 of the TSS. Section 6.2 also indicates that TLSv1.0, v1.1, and v1.
Test 1 - The connection between the syslog server and the TOE is secured using TLS. The evaluator established a connection between the two machines using each of the claimed ciphersuites. The evaluator repeated this test with the management connection on the MLX machine. Test 2 – The evaluator created a TLS connection between the TOE and a test server. The evaluator then created packets that modified each of the required options.
2.4.1.1 FIA_PMG_EXT.1.1 TSS Assurance Activities: None Defined Guidance Assurance Activities: The evaluator shall examine the operational guidance to determine that it provides guidance to security administrators on the composition of strong passwords, and that it provides instructions on setting the minimum password length. The Configuring the strict password rules section of the Security Configuration Guide describes how to turn on strict password enforcement.
2.4.2.1 FIA_UAU.7.1 TSS Assurance Activities: None Defined Guidance Assurance Activities: None Defined Testing Assurance Activities: The evaluator shall perform the following test for each method of local login allowed: Test 1: The evaluator shall locally authenticate to the TOE. While making this attempt, the evaluator shall verify that at most obscured feedback is provided while entering the authentication information.
2.4.4 USER IDENTIFICATION AND AUTHENTICATION (FIA_UIA_EXT.1) 2.4.4.1 FIA_UIA_EXT.1.1 TSS Assurance Activities: None Defined Guidance Assurance Activities: None Defined Testing Assurance Activities: None Defined 2.4.4.2 FIA_UIA_EXT.1.
The evaluator shall examine the operational guidance to determine that any necessary preparatory steps (e.g., establishing credential material such as pre-shared keys, tunnels, certificates, etc.) to logging in are described. For each supported login method, the evaluator shall ensure the operational guidance provides clear instructions for successfully logging on.
2.5.1 MANAGEMENT OF TSF DATA (FOR GENERAL TSF DATA) (FMT_MTD.1) 2.5.1.1 FMT_MTD.1.1 TSS Assurance Activities: The evaluator shall examine the TSS to determine that, for each administrative function identified in the operational guidance; those that are accessible through an interface prior to administrator log-in are identified.
Information flow policy ACLs o The Security Configuration Guide includes instructions for “Layer 2 Access Control Lists”, “Access Control List”, “Configuring an IPv6 Access Control List”, “Configuring 802.1X Port Security”, “Using MAC Port Security Feature”, “Protecting against Denial of Service Attacks”, and “Configuring Multi-Device Port Authentication” that collectively provide instructions for configuring information flow rules.
o Attacks”, and “Configuring Multi-Device Port Authentication” that collectively provide instructions for configuring information flow rules. Warning banner The Security Configuration Guide includes instructions for “Setting a message of the day banner” which provides instructions for a Banner image. The evaluator observed the banner during testing for each of the console, SSH session, and Web interface. Testing Assurance Activities: None Defined 2.5.
2.5.3.1 FMT_SMR.2.1 TSS Assurance Activities: None Defined Guidance Assurance Activities: None Defined Testing Assurance Activities: None Defined 2.5.3.2 FMT_SMR.2.2 TSS Assurance Activities: None Defined Guidance Assurance Activities: None Defined Testing Assurance Activities: None Defined 2.5.3.3 FMT_SMR.2.
performed on the client for remote administration. In the course of performing the testing activities for the evaluation, the evaluator shall use all supported interfaces, although it is not necessary to repeat each test involving an administrative action with each interface.
2.6.1.2 FPT_APW_EXT.1.2 TSS Assurance Activities: None Defined Guidance Assurance Activities: None Defined Testing Assurance Activities: None Defined Component Assurance Activities: The evaluator shall examine the TSS to determine that it details all authentication data that are subject to this requirement, and the method used to obscure the plaintext password data when stored.
Component Assurance Activities: The evaluator shall examine the TSS to determine that it details how any preshared keys, symmetric keys, and private keys are stored and that they are unable to be viewed through an interface designed specifically for that purpose, as outlined in the application note in the NDPP. If these values are not stored in plaintext, the TSS shall describe how they are protected/obscured. Section 6.
The evaluator set the local clock from the console and observed the time change. The evaluator then configured an NTP server and had the appliance connect to the NTP server and update the time. The evaluator observed the time update from the NTP server. 2.6.4 TSF TESTING (FPT_TST_EXT.1) 2.6.4.1 FPT_TST_EXT.1.
2.6.5 EXTENDED: TRUSTED UPDATE (FPT_TUD_EXT.1) 2.6.5.1 FPT_TUD_EXT.1.1 TSS Assurance Activities: None Defined Guidance Assurance Activities: None Defined Testing Assurance Activities: None Defined 2.6.5.2 FPT_TUD_EXT.1.2 TSS Assurance Activities: None Defined Guidance Assurance Activities: None Defined Testing Assurance Activities: None Defined 2.6.5.3 FPT_TUD_EXT.1.
Component Assurance Activities: Updates to the TOE either have a hash associated with them, or are signed by an authorized source. If digital signatures are used, the definition of an authorized source is contained in the TSS, along with a description of how the certificates used by the update verification mechanism are contained on the device. The evaluator ensures this information is contained in the TSS.
TSS Assurance Activities: None Defined Guidance Assurance Activities: None Defined Testing Assurance Activities: The evaluator shall perform the following test: Test 1: The evaluator follows the operational guidance to configure several different values for the inactivity time period referenced in the component. For each period configured, the evaluator establishes a remote interactive session with the TOE.
2.7.3.1 FTA_SSL_EXT.1.1 TSS Assurance Activities: None Defined Guidance Assurance Activities: None Defined Testing Assurance Activities: The evaluator shall perform the following test: Test 1: The evaluator follows the operational guidance to configure several different values for the inactivity time period referenced in the component. For each period configured, the evaluator establishes a local interactive session with the TOE.
Test 1: The evaluator follows the operational guidance to configure a notice and consent warning message. The evaluator shall then, for each method of access specified in the TSS, establish a session with the TOE. The evaluator shall verify that the notice and consent warning message is displayed in each instance.
2.8.1.3 FTP_ITC.1.3 TSS Assurance Activities: None Defined Guidance Assurance Activities: None Defined Testing Assurance Activities: None Defined Component Assurance Activities: The evaluator shall examine the TSS to determine that, for all communications with authorized IT entities identified in the requirement, each communications mechanism is identified in terms of the allowed protocols for that IT entity.
Further assurance activities are associated with the specific protocols. Test 1 – The syslog server communication path was tested as part of setting up the syslog server connection. The update server connection was tested as part of testing an update. Test 2 - The syslog server communication path (TLS) was tested as part of setting up the syslog server connection. The update server connection (SSH) was tested as part of testing an update.
2.8.2.3 FTP_TRP.1.3 TSS Assurance Activities: None Defined Guidance Assurance Activities: None Defined Testing Assurance Activities: None Defined Component Assurance Activities: The evaluator shall examine the TSS to determine that the methods of remote TOE administration are indicated, along with how those communications are protected.
Test 2 – The evaluator was unable to find a method of using SSH without invoking the trusted path. The communications path was always encrypted and used the server's key. Likewise, the HTTPS connection already required encryption. Test 3 – The evaluator tested the correctness of the SSH encryption when testing the FCS_SSH_EXT.1 requirement and tested HTTPS when testing the FCS_HTTPS_EXT.1 requirement.
3. PROTECTION PROFILE SAR ASSURANCE ACTIVITIES The following sections address assurance activities specifically defined in the claimed Protection Profile that correspond with Security Assurance Requirements. 3.1 DEVELOPMENT (ADV) 3.1.1 BASIC FUNCTIONAL SPECIFICATION (ADV_FSP.1) Assurance Activities: There are no specific assurance activities associated with these SARs.
The operational guidance shall contain instructions for configuring the cryptographic engine associated with the evaluated configuration of the TOE. It shall provide a warning to the administrator that use of other cryptographic engines was not evaluated nor tested during the CC evaluation of the TOE. The documentation must describe the process for verifying updates to the TOE, either by checking the hash or by verifying a digital signature.
3.3 LIFE-CYCLE SUPPORT (ALC) 3.3.1 LABELLING OF THE TOE (ALC_CMC.1) Assurance Activities: The evaluator shall check the ST to ensure that it contains an identifier (such as a product name/version number) that specifically identifies the version that meets the requirements of the ST. The evaluator shall ensure that this identifier is sufficient for an acquisition entity to use in procuring the TOE (including the appropriate administrative guidance) as specified in the ST.
The test plan identifies the platforms to be tested, and for those platforms not included in the test plan but included in the ST, the test plan provides a justification for not testing the platforms. This justification must address the differences between the tested platforms and the untested platforms, and make an argument that the differences do not affect the testing to be performed.
The differences between the models of a given family include AC vs. DC power, fiber vs. copper network connections, and number of available network ports. None of these differences was considered security relevant since none of the NDPP security requirements, nor the functions to address them, are related to any of these product characteristics.